avcodec/hevcdec: Fix signed integer overflow in decode_lt_rps()

Fixes: runtime error: signed integer overflow: 2147483647 + 6 cannot be represented in type 'int' Fixes: 2263/clusterfuzz-testcase-minimized-4800359627227136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2017-06-17 00:34:08 +0200
committer: Michael Niedermayer <michael@niedermayer.cc> 2017-06-17 00:34:48 +0200
commit: 1edbf5e20c75f06d6987bc823e63aa4e649ccddd (patch)
tree: 21c9de9fb136585d9ff8474712fd77cf0d3b92f3 /libavcodec
parent: 9b65dbf7349aace16f7ca65f7cef1a368e2d83d9 (diff)
1 files changed, 6 insertions, 2 deletions
diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c
index 32703f090a..3dc3669d67 100644
--- a/libavcodec/hevcdec.c
+++ b/libavcodec/hevcdec.c
@@ -273,12 +273,16 @@ static int decode_lt_rps(HEVCContext *s, LongTermRPS *rps, GetBitContext *gb)
 
         delta_poc_msb_present = get_bits1(gb);
         if (delta_poc_msb_present) {
-            int delta = get_ue_golomb_long(gb);
+            int64_t delta = get_ue_golomb_long(gb);
+            int64_t poc;
 
             if (i && i != nb_sps)
                 delta += prev_delta_msb;
 
-            rps->poc[i] += s->poc - delta * max_poc_lsb - s->sh.pic_order_cnt_lsb;
+            poc = rps->poc[i] + s->poc - delta * max_poc_lsb - s->sh.pic_order_cnt_lsb;
+            if (poc != (int32_t)poc)
+                return AVERROR_INVALIDDATA;
+            rps->poc[i] = poc;
             prev_delta_msb = delta;
         }
     }
author	Michael Niedermayer <michael@niedermayer.cc>	2017-06-17 00:34:08 +0200
committer	Michael Niedermayer <michael@niedermayer.cc>	2017-06-17 00:34:48 +0200
commit	1edbf5e20c75f06d6987bc823e63aa4e649ccddd (patch)
tree	21c9de9fb136585d9ff8474712fd77cf0d3b92f3 /libavcodec
parent	9b65dbf7349aace16f7ca65f7cef1a368e2d83d9 (diff)